Abstract

This article investigates the physical-layer security of cognitive radio (CR) networks, which are
vulnerable to various newly arising attacks targeting the weaknesses of CR communications and
networking. We first review a range of physical-layer attacks in CR networks, including the primary
user emulation, sensing falsification, intelligence compromise, jamming and eavesdropping attacks. Then
we focus on the physical-layer security of CR networks against eavesdropping and examine the secrecy
performance of cognitive communications in terms of secrecy outage probability. We further consider the
use of relays for improving the CR security against eavesdropping and propose an opportunistic relaying
scheme, where a relay node that makes CR communications most resistant to eavesdropping is chosen to
participate in assisting the transmission from a cognitive source to its destination. It is illustrated that the
physical-layer secrecy of CR communications relying on the opportunistic relaying can be significantly
improved by increasing the number of relays, showing the security benefit of exploiting relay nodes.
Finally, we present some open challenges in the field of relay-assisted physical-layer security for CR
networks.

I. Introduction

Cognitive radio (CR) [1], [2] emerges as an intelligent radio communications system that is
capable of learning its surrounding context and reconfiguring its operating parameters to adapt
to the time-varying environment. As an enabling technology for spectrum sharing, CR allows an
unlicensed user, also called cognitive user (CU), to sense the radio-frequency (RF) environment 
for detecting whether spectrum bands licensed to primary users (PUs) are occupied by PUs or 
not [3]. If a licensed band is detected to be unoccupied by PUs, meaning that a spectrum hole 
is identified, then the CU changes its communications parameters for the sake of transmitting 
over the detected spectrum hole. Until now, extensive efforts have been devoted to the research 
and development of CR spectrum sharing systems from different aspects in terms of spectrum 
sensing, spectrum shaping, spectrum access, and spectrum management [4], [5]. 

As aforementioned, the physical layer of CR networks is supposed to have the ability of
sensing and learning its surrounding RF environment. This, however, is also a critical weakness
to be exploited by an adversary for launching malicious activities [6]. For example, the adversary
can emit an interfering signal with an intention to modify the actual RF environment, causing
legitimate CUs to be misled, compromised or to malfunction. Also, due to the broadcast nature
of radio propagation, any network node within a CU’s transmit coverage can overhear the CU’s
confidential communications and may illegally interpret the confidential information. Therefore,
the highly dynamic and open nature of the CR physical layer makes cognitive communications
extremely vulnerable to various malicious activities resulting from both internal and
external attacks.

Recently, the physical-layer security of CR networks has attracted increasing research
attention [7]. Considerable studies have been conducted to protect CR communications against
the primary user emulation attack (PUEA) and denial-of-service (DoS) attack. Specifically, a
PUEA attacker emulates a PU and transmits a radio signal with the PU’s characteristics over a
licensed band, so that the band is detected to be occupied by the PU and legitimate CUs are
denied access to it [8]. By contrast, a DoS attacker, also known as a jammer, emits a radio signal
(not necessarily with the same characteristics as the PU’s signal) to interfere with the signal
reception at legitimate CUs for disrupting CR communications services [9]. It needs
to be pointed out that both the PUEA and jammer transmit active signals, which may be detected
by legitimate CUs so that certain prevention strategies can be adopted.

In addition to the active PUEA and jammer, cognitive transmission is also vulnerable to an
eavesdropper, which is a passive attacker and is thus undetectable, since the eavesdropper just
overhears and interprets the CR transmission without transmitting any active signals. Generally,
cryptographic techniques relying on secret keys are adopted for protecting the transmission
confidentiality against eavesdropping, which, however, introduces additional system complexity
resulting from the secret key management. Moreover, the secret key distribution relies upon a
trusted infrastructure, which may be unavailable and even compromised in some cases. To this
end, physical-layer security is now emerging as a promising paradigm by exploiting physical
characteristics of wireless channels to achieve the perfect secrecy against eavesdropping in an
information-theoretic sense [10]. This also has a great potential to address the security of CR
communications against eavesdropping.

In this article, we are motivated to examine the security of physical-layer communications for 
CR networks. We first present an in-depth overview of CR physical-layer attacks in Section II, 
including the PUEA, sensing falsification, intelligence compromise, jamming and eavesdropping 
attacks. Next, we examine the CR physical-layer security in the face of an eavesdropper in 
Section III and show that increasing the transmit power is not always beneficial in terms of 
defending against eavesdropping. In Section IV, we propose the employment of opportunistic
relaying for protecting the security of CR communications, which is shown to be an effective
means, especially with an increasing number of relays. Finally, we present a range of open
challenging issues in Section V, followed by Section VI, where some concluding remarks are 
provided. 


II. Physical-Layer Attacks in CR Networks 

In this section, we focus on discussing physical-layer attacks in CR networks. As shown in Fig.
1, a CR cycle is comprised of three typical stages, namely the observation, reasoning and action.
Although these three cognitive stages enable a CU to learn its surrounding RF environment
and adapt its transmission parameters to any changes in the environment, they are vulnerable to
various attacks and introduce additional security threats. Table I summarizes various
physical-layer attacks in the observation, reasoning and action phases, including the PUEA, sensing
falsification, intelligence compromise, jamming and eavesdropping attacks, which are detailed
in the following.

Fig. 1. Illustration of a typical CR cycle.

A. PUEA 

PUEA refers to an attacker that emulates a PU by transmitting radio signals with the same
characteristics as the PU, which prevents legitimate CUs from distinguishing the real PU’s signal
from the PUEA’s faked one. In order to defend against PUEA, a so-called transmitter verification
scheme was proposed in [8] by exploiting the location information to verify whether a signal is
transmitted from a PU or not. It was assumed in [8] that the PU and PUEA are spatially separated
and, moreover, the PU’s location is known. However, the location information of PU may be
unavailable in some cases. As a consequence, an authentication approach could be employed to
differentiate the legitimate PU from PUEA. To be specific, the legitimate PU is registered, and its
identity information, e.g. the media access control (MAC) address, is pre-stored and authenticated.
By contrast, the PUEA is typically not registered and its identity remains unknown to legitimate
users.

B. Sensing Falsification 

A sensing falsification attacker intends to falsify the spectrum observation and inject its
fabricated results to CR networks for the sake of intentionally misleading legitimate CUs.
Typically, the sensing falsification attackers are sparsely distributed and only a small fraction of
the total network nodes. Thus, the majority voting is an effective means to mitigate the adverse
impact of fabricated observation results on the spectrum sensing performance. As an alternative,
a data-cleansing based robust spectrum sensing approach was proposed in [11], where the
sparsity of the falsification attack is exploited to effectively filter out the abnormal sensing data.
It was shown that the data-cleansing based robust spectrum sensing significantly outperforms
conventional spectrum sensing methods in terms of improving the detection probability and false
alarm probability in the presence of falsified sensing data.

July 3, 2015

DRAFT

TABLE I
Summarization of physical-layer attacks in different stages of the CR cycle.

CR cycle     | Attack types            | Characteristics & features
-------------+-------------------------+----------------------------------------------------
Observation  | PUEA                    | Emulating a primary user (PU) and emitting radio
             |                         | signals with the same characteristics as the PU
Observation  | Sensing falsification   | Falsifying spectrum sensing results for the sake of
             |                         | intentionally misleading cognitive users
Reasoning    | Intelligence compromise | Inserting malware to maliciously alter the learning
             |                         | and reasoning algorithms
Action       | Jamming                 | Disrupting legitimate cognitive transmissions by
             |                         | emitting radio interference
Action       | Eavesdropping           | Intercepting confidential information transmissions
             |                         | between cognitive users
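The effect of majority voting under a small fraction of falsifying nodes can be computed exactly. The following is an added example, not code from the article; it assumes each honest node senses with P_d = 0.9 and P_f = 0.1 and that every falsifying node always reports the wrong state, and all function names are this example's own.

```python
from math import comb


def binom_tail(n, p, k_min):
    """Pr(X >= k_min) for X ~ Binomial(n, p)."""
    k_min = max(k_min, 0)
    return sum(comb(n, k) * p**k * (1 - p) ** (n - k)
               for k in range(k_min, n + 1))


def fused_performance(n_nodes, n_attackers, pd=0.9, pf=0.1):
    """Return (P_d, P_f) of the majority-vote decision at the fusion centre.

    Assumed attacker model: a falsifying node always reports the wrong
    state ("idle" when the PU is present, "busy" when it is absent).
    """
    honest = n_nodes - n_attackers
    need = n_nodes // 2 + 1            # strict majority of "busy" votes
    # PU present: attackers vote "idle", honest nodes must supply all votes.
    fused_pd = binom_tail(honest, pd, need)
    # PU absent: attackers already contribute n_attackers "busy" votes.
    fused_pf = binom_tail(honest, pf, need - n_attackers)
    return fused_pd, fused_pf


def max_tolerated_attackers(n_nodes, pd_target=0.9, pf_target=0.1):
    """Largest attacker count for which the fused decision meets both targets."""
    tolerated = -1
    for k in range(n_nodes + 1):
        fused_pd, fused_pf = fused_performance(n_nodes, k)
        if fused_pd > pd_target and fused_pf < pf_target:
            tolerated = k
        else:
            break
    return tolerated


if __name__ == "__main__":
    n = 15
    for k in (0, 3, 5, 6, 7):
        fused_pd, fused_pf = fused_performance(n, k)
        print(f"attackers={k}: fused P_d={fused_pd:.4f}, fused P_f={fused_pf:.4f}")
    print("tolerated attackers out of 15:", max_tolerated_attackers(n))
```

With 15 nodes the fused decision stays within the targets while the falsifying nodes remain a minority of five or fewer, and degrades sharply as they approach half of the votes.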

C. Intelligence Compromise 

The intelligence compromise is a legitimate CU compromised by an adversary, which
maliciously inserts malware into the legitimate CU for the sake of altering its learning and reasoning
algorithms, resulting in a negative impact on the node intelligence. An intelligence compromise
attacker would inflict damage on the spectrum learning and prediction, which may even paralyze
the whole CR network. The intelligence compromise may be just a legitimate
CU that is captured and enslaved by the adversary, which is thus considered as an inside attacker.
Since the intelligence compromised legitimate CU infected by malware still has a valid identity,
it is difficult to detect and identify the presence of an intelligence compromise attacker. To this
end, the automatic code patch is a promising paradigm to protect legitimate CUs against the
intelligence compromise, which enables a legitimate CU to be periodically updated. If the code
patch fails, it indicates that the legitimate CU may be compromised by an adversary.

D. Jamming

A jamming attacker (also known as jammer) attempts to emit a radio signal for interfering with 
the desired communications between legitimate CUs. As shown in Fig. 1, after identifying an 
available spectrum opportunity in the observation and reasoning stages, a legitimate CU would 
be scheduled to transmit its signal to its intended destination over the detected spectrum hole. 
Due to the broadcast nature of radio propagation, a jammer can easily disrupt the legitimate 
transmissions between CUs by sending a radio interference with sufficiently high power. If a 
jammer is present to interfere with the cognitive transmission, the received signal strength (RSS) 
and bit error rate (BER) experienced at the desired destination would significantly increase, 
which can thus be considered as appropriate indicators for detecting the jamming attack. For 
example, an unusually high RSS (or an excessive BER) may indicate the presence of a jammer. 
Additionally, spread spectrum is considered as an effective means of defending against jamming
attacks. The main spread spectrum techniques include the frequency hopping spread spectrum
(FHSS) and direct-sequence spread spectrum (DSSS).

E. Eavesdropping 

An eavesdropping attacker intercepts the confidential information transmissions of
legitimate CUs. The broadcast nature of wireless propagation makes the cognitive transmissions
vulnerable to the eavesdropping attack. When a legitimate CU transmits its data over a detected
spectrum hole, any network node within the CU’s transmit coverage is capable of overhearing
and tapping the CU’s transmission. Presently, cryptography is adopted to protect the
communications confidentiality against eavesdropping. The success of cryptography typically relies
on a trusted infrastructure, which, however, may be compromised and become untrustworthy
[12]. To this end, the information-theoretic security emerges for cognitive radio transmissions
by exploiting physical characteristics of wireless channels, referred to as physical-layer security
[7], which will be discussed in detail in what follows.

III. Physical-Layer Security of Cognitive Radio Communications

This section presents the physical-layer security of cognitive transmissions from a cognitive
source (CS) to its cognitive destination (CD) in the presence of an eavesdropper. As shown in
Fig. 2, CS first performs spectrum sensing to detect whether or not a spectrum band is occupied
by a primary source (PS) transmitting to its primary destination (PD). If PS is detected to be
actively transmitting, CS is not allowed to access the spectrum band for avoiding interfering with
the reception of PS’ signal. If PS is detected to be inactive and thus an available spectrum hole
is identified, CS would transmit its data to CD over the detected spectrum hole. For notational
convenience, let $P_0$ represent the probability that the spectrum band becomes unoccupied by PS.
Additionally, the probability of detection of the presence of PS is denoted by $P_d$, whilst $P_f$ is
the probability of false alarm of the presence of PS.

Fig. 2. A channel model for the secrecy coding based cognitive radio communications.

Once a spectrum hole is detected, CS starts transmitting its confidential data to CD,
which may also be overheard by an eavesdropper (E) due to the broadcast nature of radio
propagation. It is proved in [10] and [15] that when the main channel (from CS to CD) has a better
condition than the wiretap channel (from CS to E), physical-layer security can achieve the perfect
secrecy against eavesdropping. The secrecy capacity is shown as the difference between the
capacity of the main channel and that of the wiretap channel, which is the maximum rate at which
CS can reliably and securely transmit to CD. In order to achieve the secrecy capacity, various
secrecy codes (e.g. polar code and lattice code) are devised for practical wireless systems. As
shown in Fig. 2, a secrecy encoder (e.g. polar code) encapsulates the CS’ confidential data $w$ (with
a secrecy rate of $R_s$) into an overall codeword $x$ (with an increased rate of $R_o$). The rate increase
$R_i = R_o - R_s$ represents extra redundancy, which is the cost of providing additional secrecy
against eavesdropping. As shown in [12], if the rate cost $R_i$ is higher than the capacity of the
wiretap channel, the perfect secrecy can be achieved, i.e., the CS’ data transmission is completely
secure. Otherwise, the eavesdropper would succeed in intercepting the CS’ transmission and a
secrecy outage event happens in this case.


Next, CS transmits its codeword $x$ to CD at a power of $P_s$, which is scaled by the wireless
fading $h_{sd}$ of the main channel and deteriorated by an additive white Gaussian noise (AWGN)
$n_d$. Meanwhile, the codeword transmission is also overheard by E over the wiretap channel,
where a wireless fading $h_{se}$ and an AWGN $n_e$ are encountered. Throughout this article, both
the main channel and wiretap channel are independent of each other and modeled as Rayleigh
fading, implying that $|h_{sd}|^2$ and $|h_{se}|^2$ are independent exponential random variables (RVs) with
respective means of and . Moreover, the AWGNs received at the CD and E are assumed
to be with zero mean and a variance of $N_0$. It is worth mentioning that the miss detection of the
presence of PS may happen due to the background noise, which would cause mutual interference
between the primary and cognitive users. To limit the mutual interference level, IEEE 802.22
standard requires $P_d > 0.9$ and $P_f < 0.1$ [2], which is used throughout this article. The transmit
power of PS is represented by $P_p$. In addition, fading magnitudes of the wireless channels from
PS to CD and E are, respectively, denoted by $|h_{pd}|^2$ and $|h_{pe}|^2$, which are independent exponential
RVs with respective means of and $\sigma_{pe}^2$.

In order that CS can achieve an ergodic capacity of the main channel, the codeword rate $R_o$
is set to $C_{sd}$, which represents an instantaneous capacity of the CS-CD channel. Similarly, an
instantaneous capacity of the wiretap channel (from CS to E) is denoted by $C_{se}$. As discussed
above, a secrecy outage event occurs when the wiretap channel capacity becomes higher than the
rate cost $R_i$. It needs to be pointed out that CS starts transmitting its data only when a spectrum
hole is detected. Hence, the probability of occurrence of secrecy outage event (called secrecy
outage probability) is calculated under the condition that the spectrum band is detected to be
unoccupied by PS. Thus, the secrecy outage probability of CS-CD transmissions is given by

$$P_{\text{sout}} = \Pr\{C_{se} > R_i \mid H_0\} = \Pr\{C_{sd} - C_{se} < R_s \mid H_0\}, \qquad (1)$$

where $H_0$ means that the spectrum band is detected idle. In Fig. 3, we show the secrecy outage
probability versus signal-to-noise ratio (SNR) $\gamma_s = P_s/N_0$ of cognitive radio communications
for different secrecy rates with $P_0 = 0.8$, $\gamma_p = P_p/N_0 = 5$ dB, = 1, = 0.2, and
^L = 0.1. It needs to be pointed out that the primary and secondary users are spatially separated
in two different wireless networks, thus a channel gain between two heterogeneous users from
different wireless networks (e.g. ) is set to be smaller than that between two homogeneous
users from the same network (e.g. ) [5], [14]. Moreover, following the physical-layer security
literature [7], [10] and [15], the wiretap channel is typically assumed to be a degraded version
of the main channel, and thus the gain of wiretap channel $\sigma_{se}^2$ is considered to be less than that
of the main channel $\sigma_{sd}^2$.

Fig. 3. Secrecy outage probability versus SNR $\gamma_s$ for different secrecy rates.

As shown in Fig. 3, as the secrecy rate increases from $R_s = 0.1$ bit/s/Hz to 0.5 bit/s/Hz, the
secrecy outage probability of cognitive radio communications increases accordingly. This means
that the physical-layer security degrades with an increased rate, showing a tradeoff between the
security and throughput. One can also see from Fig. 3 that as the SNR $\gamma_s$ increases, the secrecy
outage probability initially decreases and finally converges to a constant value. It implies that
a secrecy outage floor happens in the high SNR region, which cannot be improved by increasing
the transmit power. This is because although increasing the transmit power can improve the
received signal strength at the legitimate CD, an enhanced signal version is also received at the
eavesdropper, so no secrecy outage improvement is achieved with an
increasing transmit power, i.e., a secrecy outage floor occurs in the high SNR region. We are thus
motivated to explore how the secrecy outage floor can be reduced by using e.g. opportunistic
relaying, as will be discussed in the following section.

IV. Opportunistic Relaying for Enhancing Physical-Layer Security 

In this section, we examine the employment of opportunistic relaying for the enhancement of
physical-layer security in CR networks. As shown in Fig. 4, N relay nodes (RNs) are assumed
to be available for assisting the transmission from CS to CD, where the amplify-and-forward
(AF) protocol is considered when RNs retransmit the CS’ data to CD. To be specific, when a
spectrum hole is detected, CS first transmits its signal $x$ to CD, which can be overheard by E
and N RNs. In the opportunistic relaying, only a single RN will be chosen among the N RNs
to forward an amplified version of its received signal using a scaling factor (without any sort of
decoding), which is also overheard by E for interception purposes. In this way, both CD and E
can receive two copies of the CS’ signal, which are transmitted from the CS and the selected
RN, respectively. For simplicity, the selection diversity combining (SDC) method is considered
for both the CD and E, meaning that a received signal with higher SNR is adopted for decoding
the CS’ signal.

Fig. 4. A cognitive relay network consists of one CS, one CD and N RNs in the presence of an E.

Given N RNs available in CR networks of Fig. 4, the opportunistic relaying chooses the “best”
RN to participate in forwarding the CS’ transmission to CD, aiming to maximize the cognitive
physical-layer security against eavesdropping. Without loss of generality, we consider that RN$_i$
is selected among N RNs, which first performs a coherent reception of the CS’ signal and
then forwards its received signal with a scaling factor for normalization. Due to the broadcast
nature of radio propagation, both CD and E can receive the RN$_i$’s signal retransmission, and the
corresponding signal-to-interference-and-noise ratio (SINR) at CD is given by

$$\text{SINR}_d^i = \frac{\gamma_s |h_{si}|^2 |h_{id}|^2}{|h_{id}|^2 \left(|h_{pi}|^2 \alpha \gamma_p + 1\right) + |h_{si}|^2 \left(|h_{pd}|^2 \alpha \gamma_p + 1\right)}, \qquad (2)$$

where $h_{si}$, $h_{id}$, $h_{pi}$ and $h_{pd}$ represent the CS-RN$_i$, RN$_i$-CD, PS-RN$_i$ and PS-CD channels,
respectively. Moreover, the parameter $\alpha$ is given by 0 when the spectrum band is idle (i.e.,
no primary signal is transmitted from PS). By contrast, if the band is currently occupied by
PS, then $\alpha$ is set to 1. Meanwhile, the SINR received at E, denoted by $\text{SINR}_e^i$, can be similarly
obtained by replacing $h_{id}$ and $h_{pd}$ in (2) with $h_{ie}$ and $h_{pe}$, which represent the RN$_i$-E and PS-E
channels, respectively. In practice, obtaining the eavesdropper’s channel state information (CSI)
is impossible, since E is passive and typically keeps silent in CR networks. Motivated by this
observation, a RN that maximizes the CD’s received SINR, i.e. $\text{SINR}_d^i$, is generally selected to
forward its received signal, yielding the best RN selection criterion as

$$\text{Best RN} = \arg\max_{i \in \mathcal{R}} \text{SINR}_d^i, \qquad (3)$$

where $\mathcal{R}$ denotes the set of N RNs and $\text{SINR}_d^i$ is given by (2). It can be observed from (3) that
the CSIs of the CS-RN$_i$, RN$_i$-CD, PS-RN$_i$ and PS-CD channels are required in carrying out the
relay selection without needing the eavesdropper’s CSI knowledge. Moreover, when $\alpha$ is set to
0, the relay selection criterion as given by (3) reduces to the conventional so-called harmonic
mean selection [13]. This is because $\alpha = 0$ implies no mutual interference occurring between
the primary and secondary users, thus the cognitive transmission in this case becomes the same
as the conventional wireless communications scenario. From (3), the capacity achieved at CD,
denoted by $C_d$, can be determined by using the SDC to combine the two received signals from
the “best” RN and CS, respectively. Also, the wiretap channel capacity achieved at E, denoted
by $C_e$, can be similarly obtained. Like (1), the secrecy outage probability of the opportunistic
relaying scheme can be obtained by calculating the probability that the difference between $C_d$
and $C_e$ falls below the secrecy rate $R_s$. Additionally, all the CS-CD, CS-RN$_i$, RN$_i$-CD,
PS-CD, PS-RN$_i$, PS-E, CS-E, RN$_i$-E channels are modeled as independent Rayleigh fading with
respective variances of and .

In Fig. 5, we show the secrecy outage probability versus SNR $\gamma_s$ of the direct transmission
(i.e. CS directly transmits to CD without using RNs) and the opportunistic relaying for different
numbers of RNs N. As shown in Fig. 5, for all the cases of N = 2, 4 and 6, the secrecy outage
probability of the opportunistic relaying is even worse than that of the direct transmission in
a low SNR region, e.g. $\gamma_s < -6$ dB. This is because in the opportunistic relaying scheme,
one half of a time slot is wasted by the chosen “best” RN to retransmit the CS’ signal to
CD, resulting in a certain loss of the secrecy capacity. It is pointed out that although the SDC
method is considered at CD for combining its received signals from CS and the “best” RN, the
capacity of the CS-CD channel (i.e. $C_{sd}$) is also scaled by one-half in the opportunistic relaying
scheme, since CS transmits only in the first half time slot and remains silent in the second half
slot which is occupied by the “best” RN to retransmit the CS’ signal. One can observe from
Fig. 5 that as the SNR continues increasing, the opportunistic relaying becomes better than the
direct transmission in terms of the secrecy outage probability, showing the performance benefit
achieved by the proposed opportunistic relaying.

Fig. 5. Secrecy outage probability comparison between the direct transmission and opportunistic relaying for different number
of RNs N with $R_s = 0.1$ bit/s/Hz, $P_0 = 0.8$, $\gamma_p = 5$ dB, = 1, = cr^g = 0.2, and cr^g = crfg = 0.1.

Fig. 5 also shows that with a sufficiently high SNR, the direct transmission and opportunistic 
relaying schemes converge to their respective secrecy outage floors. Moreover, the secrecy outage 
floor of the opportunistic relaying is lower than that of the direct transmission. As shown in 
Fig. 5, as the number of RNs increases from N = 2 to 6, the secrecy outage floor of the
opportunistic relaying is significantly reduced, showing the physical-layer security advantage
of exploiting RNs. This is due to the fact that with an increasing number of RNs, it is more
likely to choose a RN that can succeed in defending against eavesdropping, thus leading to a
reduced secrecy outage floor. Although the opportunistic relaying scheme can effectively protect
the wireless transmissions against eavesdropping, it introduces additional system complexity
due to the distributed relay management and synchronization. To be specific, multiple RNs are
distributed spatially in cognitive radio networks, which need to be effectively managed and
synchronized for the sake of performing the opportunistic relay selection. Additionally, in the 
opportunistic relaying scheme, CD needs to combine its received signals from the “best” RN 
and CS, which comes at the cost of extra computational complexity for signal combining. 
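The secrecy outage floor of Section III and its reduction by relay selection in this section can be reproduced numerically. The following Monte Carlo estimate of (1), for direct transmission and for opportunistic relaying with the SINR of (2) and the selection rule (3), is an added example and not code from the article. It assumes $P_d = 0.9$ and $P_f = 0.1$ (the boundary of the IEEE 802.22 requirement) and mean channel gains of 1 between cognitive nodes, 0.2 towards E and 0.1 from PS; the function and constant names are this example's own.

```python
import math
import random

# Values quoted in the article; the gain-to-link mapping is an assumption.
P0, PD, PF = 0.8, 0.9, 0.1          # idle probability, detection, false alarm
GAMMA_P_DB, RS = 5.0, 0.1           # primary SNR (dB), secrecy rate (bit/s/Hz)
G_MAIN, G_WIRETAP, G_PRIMARY = 1.0, 0.2, 0.1   # assumed mean channel gains


def prob_idle_given_detected_idle():
    """Pr(PS really idle | band detected idle), by Bayes' rule."""
    idle = P0 * (1.0 - PF)              # idle and no false alarm
    missed = (1.0 - P0) * (1.0 - PD)    # busy but detection missed
    return idle / (idle + missed)


def af_sinr(g_first, g_second, i_relay, i_dest, gs, a_gp):
    """Equation (2): end-to-end SINR of the amplify-and-forward path."""
    num = gs * g_first * g_second
    den = g_second * (i_relay * a_gp + 1.0) + g_first * (i_dest * a_gp + 1.0)
    return num / den


def secrecy_outage(snr_db, n_relays=0, trials=20000, seed=1):
    """Monte Carlo estimate of the secrecy outage probability given H0.

    n_relays == 0 is direct transmission; otherwise the relay that
    maximises the SINR at CD is selected, as in equation (3).
    """
    rng = random.Random(seed)

    def fade(mean):                     # Rayleigh fading power gain
        return rng.expovariate(1.0 / mean)

    gs = 10 ** (snr_db / 10)
    gp = 10 ** (GAMMA_P_DB / 10)
    p_idle = prob_idle_given_detected_idle()
    outages = 0
    for _ in range(trials):
        # alpha * gamma_p: zero when PS is really idle, gamma_p after a miss
        a_gp = 0.0 if rng.random() < p_idle else gp
        h_sd, h_se = fade(G_MAIN), fade(G_WIRETAP)
        h_pd, h_pe = fade(G_PRIMARY), fade(G_PRIMARY)
        sinr_d = gs * h_sd / (h_pd * a_gp + 1.0)
        sinr_e = gs * h_se / (h_pe * a_gp + 1.0)
        slot = 1.0                      # fraction of the slot used by CS
        if n_relays:
            best = None
            for _relay in range(n_relays):
                h_si, h_id = fade(G_MAIN), fade(G_MAIN)
                h_ie, h_pi = fade(G_WIRETAP), fade(G_PRIMARY)
                to_d = af_sinr(h_si, h_id, h_pi, h_pd, gs, a_gp)
                if best is None or to_d > best[0]:
                    # E's SINR is recorded but never used for the selection
                    to_e = af_sinr(h_si, h_ie, h_pi, h_pe, gs, a_gp)
                    best = (to_d, to_e)
            # selection diversity combining at CD and at E
            sinr_d, sinr_e = max(sinr_d, best[0]), max(sinr_e, best[1])
            slot = 0.5                  # second half-slot goes to the relay
        c_d = slot * math.log2(1.0 + sinr_d)
        c_e = slot * math.log2(1.0 + sinr_e)
        if c_d - c_e < RS:
            outages += 1
    return outages / trials


if __name__ == "__main__":
    for snr in (-10, 0, 10, 20, 30):
        row = [secrecy_outage(snr, n) for n in (0, 2, 4, 6)]
        print(snr, "dB:", " ".join(f"{p:.3f}" for p in row))
```

In each printed row the first column is direct transmission and the others are N = 2, 4 and 6 relays; the eavesdropper's channel is simulated only to score the outcome and plays no part in choosing the relay.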

V. Open Challenges and Future Work 

This section presents some future directions in the research field of cognitive relay security. 
Although the opportunistic relaying is shown to enhance the cognitive communications security, 
there are many challenging issues that still remain open at the time of writing. 

A. Joint Relay-and-Jammer Selection 

When CS transmits its signal to CD in the presence of an eavesdropper, a partner node can 
either be employed as a relay to assist the CS’ transmission for enhancing the signal quality 
received at CD, or act as a jammer to emit artificial noise for contaminating the eavesdropper’s 
signal reception. It is unclear whether it is beneficial to employ the node as a relay (or jammer) in 
terms of defending the CR communications against eavesdropping. Additionally, given multiple 
partner nodes available, some nodes may be selected for assisting the CS-CD transmission, 
while the others may be used as jammers for generating the artificial noise to interfere with 
the eavesdropper. This is called joint relay-and-jammer selection, which can be considered as 
a means for improving the cognitive communications security against eavesdropping. Although 
there are some existing efforts devoted to the joint relay-and-jammer selection, they are limited 
to the single-relay and single-jammer selection in non-cognitive radio networks. It is of interest 
to explore a more general framework of multi-relay and multi-jammer selection in cognitive 
radio networks. 

B. Untrusted Relay Detection and Prevention 

As discussed above, the physical-layer security of cognitive radio communications is
significantly improved by using the opportunistic relaying in terms of secrecy outage probability.
Although the employment of relays is capable of enhancing the security of cognitive
communications against eavesdropping, the relays by themselves may not be trusted and may attempt to tap
the CR communications. For example, if a relay is captured and compromised by an adversary,
it becomes untrusted and launches malicious activities (e.g. eavesdropping) in CR networks. The
secrecy performance of CR communications in the face of untrusted
relays remains unclear, which may be considered for future work. Also, it is of high importance to explore the
detection and prevention of untrusted relays in CR networks.

C. Field Experiment for Opportunistic Relaying 

IEEE 802.22 is the first worldwide standard designed for the CR based wireless regional 
area network (WRAN), which enables unlicensed devices to operate in white spaces of the 
TV broadcast spectrum without causing harmful interference to incumbent users including the 
TV users and wireless microphones. It is necessary to carry out field experiments for testing 
the effectiveness of opportunistic relaying in real IEEE 802.22 WRANs in the presence of 
various attacks. Although the opportunistic relaying is shown to enhance the security of cognitive
communications in terms of secrecy outage probability, its security benefit is only proved
theoretically based on some simplified assumptions (e.g. perfect CSI knowledge is assumed). It
is of high interest to investigate whether the opportunistic relaying is still effective in real WRAN
environments in terms of defending against CR attacks.

VI. Conclusion 

In this article, we first presented a comprehensive review on physical-layer attacks in CR 
networks, including the PUEA, sensing falsification, intelligence compromise, jamming and 
eavesdropping attacks. The physical-layer security of CR communications in the presence of 
an eavesdropper was then examined in terms of secrecy outage probability. It was shown that 
as the transmit power increases, the secrecy outage probability of cognitive communications 
initially decreases and finally converges to a fixed value, showing that a secrecy outage floor 
occurs in high SNR regions. In order to improve the physical-layer security of cognitive
communications, we considered the use of relays to assist the cognitive communications and proposed
an opportunistic relaying scheme. Numerical results showed that upon increasing the number of
relays, the opportunistic relaying can significantly reduce the secrecy outage floor of cognitive
communications. Additionally, we pointed out some open challenges in the research field of
exploiting relays for the physical-layer security of CR networks.